authorYury German <blueknight@gentoo.org>2016-02-12 22:22:00 -0500
committerYury German <blueknight@gentoo.org>2016-02-12 22:22:00 -0500
commit657cafe0e955cf88033597f131aa50835140c617 (patch)
treecf21a30d319cb2a238a6cfb8b4eb3b20b1b5dcff /plugins/openid/lib
parentAdding New Mantra version 2.4.1.1 - Bug 574468 (diff)
Updating plugins easy-table, jetpack, openid, public-post preview, table-of-contents-plus, wordpress-mobile-pack - Bug 574468
Diffstat (limited to 'plugins/openid/lib')
-rw-r--r--plugins/openid/lib/Auth/OpenID/Consumer.php21
-rw-r--r--plugins/openid/lib/Auth/OpenID/Extension.php11
-rw-r--r--plugins/openid/lib/Auth/OpenID/FileStore.php13
-rw-r--r--plugins/openid/lib/Auth/OpenID/MDB2Store.php26
-rw-r--r--plugins/openid/lib/Auth/OpenID/Message.php6
-rw-r--r--plugins/openid/lib/Auth/OpenID/PredisStore.php211
-rw-r--r--plugins/openid/lib/Auth/OpenID/SQLStore.php2
-rw-r--r--plugins/openid/lib/Auth/OpenID/TrustRoot.php4
-rw-r--r--plugins/openid/lib/Auth/OpenID/URINorm.php12
-rw-r--r--plugins/openid/lib/Auth/Yadis/Manager.php4
-rw-r--r--plugins/openid/lib/Auth/Yadis/ParanoidHTTPFetcher.php16
-rw-r--r--plugins/openid/lib/Auth/Yadis/ParseHTML.php25
-rw-r--r--plugins/openid/lib/Auth/Yadis/XML.php24
-rw-r--r--plugins/openid/lib/Auth/Yadis/XRDS.php2
-rw-r--r--plugins/openid/lib/Auth/Yadis/Yadis.php2
15 files changed, 306 insertions, 73 deletions
diff --git a/plugins/openid/lib/Auth/OpenID/Consumer.php b/plugins/openid/lib/Auth/OpenID/Consumer.php
index d562e33f..9ac0c500 100644
--- a/plugins/openid/lib/Auth/OpenID/Consumer.php
+++ b/plugins/openid/lib/Auth/OpenID/Consumer.php
@@ -29,7 +29,7 @@
* identity check.
*
* LIBRARY DESIGN
- *
+ *
* This consumer library is designed with that flow in mind. The goal
* is to make it as easy as possible to perform the above steps
* securely.
@@ -427,7 +427,7 @@ class Auth_OpenID_Consumer {
$loader->fromSession($endpoint_data);
$message = Auth_OpenID_Message::fromPostArgs($query);
- $response = $this->consumer->complete($message, $endpoint,
+ $response = $this->consumer->complete($message, $endpoint,
$current_url);
$this->session->del($this->_token_key);
@@ -616,6 +616,9 @@ class Auth_OpenID_GenericConsumer {
$this->store = $store;
$this->negotiator = Auth_OpenID_getDefaultNegotiator();
$this->_use_assocs = (is_null($this->store) ? false : true);
+ if (get_class($this->store) == "Auth_OpenID_DumbStore") {
+ $this->_use_assocs = false;
+ }
$this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
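Review bot: The added `get_class($this->store)` call runs even when the store is null, which the line just above explicitly allows for; depending on the PHP version that yields a warning or a TypeError inside the constructor. The exact string comparison also misses any subclass of the dumb store, which would leave association mode enabled for a store that cannot hold associations. `if ($this->store instanceof Auth_OpenID_DumbStore) {` covers both cases and is safe on null. The constructor starts and ends outside this hunk.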
@@ -666,7 +669,7 @@ class Auth_OpenID_GenericConsumer {
'_completeInvalid');
return call_user_func_array(array($this, $method),
- array($message, &$endpoint, $return_to));
+ array($message, $endpoint, $return_to));
}
/**
@@ -1186,7 +1189,7 @@ class Auth_OpenID_GenericConsumer {
list($unused, $services) = call_user_func_array($this->discoverMethod,
array(
$claimed_id,
- &$this->fetcher,
+ $this->fetcher,
));
if (!$services) {
@@ -1202,7 +1205,7 @@ class Auth_OpenID_GenericConsumer {
/**
* @access private
*/
- function _verifyDiscoveryServices($claimed_id,
+ function _verifyDiscoveryServices($claimed_id,
$services, $to_match_endpoints)
{
// Search the services resulting from discovery to find one
@@ -1210,7 +1213,7 @@ class Auth_OpenID_GenericConsumer {
foreach ($services as $endpoint) {
foreach ($to_match_endpoints as $to_match_endpoint) {
- $result = $this->_verifyDiscoverySingle($endpoint,
+ $result = $this->_verifyDiscoverySingle($endpoint,
$to_match_endpoint);
if (!Auth_OpenID::isFailure($result)) {
@@ -1368,7 +1371,7 @@ class Auth_OpenID_GenericConsumer {
}
}
$ca_message = $message->copy();
- $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode',
+ $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode',
'check_authentication');
return $ca_message;
}
@@ -1606,7 +1609,7 @@ class Auth_OpenID_GenericConsumer {
$expires_in = Auth_OpenID::intval($expires_in_str);
if ($expires_in === false) {
-
+
$err = sprintf("Could not parse expires_in from association ".
"response %s", print_r($assoc_response, true));
return new Auth_OpenID_FailureResponse(null, $err);
@@ -1953,7 +1956,7 @@ class Auth_OpenID_AuthRequest {
function htmlMarkup($realm, $return_to=null, $immediate=false,
$form_tag_attrs=null)
{
- $form = $this->formMarkup($realm, $return_to, $immediate,
+ $form = $this->formMarkup($realm, $return_to, $immediate,
$form_tag_attrs);
if (Auth_OpenID::isFailure($form)) {
diff --git a/plugins/openid/lib/Auth/OpenID/Extension.php b/plugins/openid/lib/Auth/OpenID/Extension.php
index c4e38c03..542a1da2 100644
--- a/plugins/openid/lib/Auth/OpenID/Extension.php
+++ b/plugins/openid/lib/Auth/OpenID/Extension.php
@@ -39,7 +39,7 @@ class Auth_OpenID_Extension {
*
* Returns the message with the extension arguments added.
*/
- function toMessage($message)
+ function toMessage($message, $request = null)
{
$implicit = $message->isOpenID1();
$added = $message->namespaces->addAlias($this->ns_uri,
@@ -53,8 +53,13 @@ class Auth_OpenID_Extension {
}
}
- $message->updateArgs($this->ns_uri,
- $this->getExtensionArgs());
+ if ($request !== null) {
+ $message->updateArgs($this->ns_uri,
+ $this->getExtensionArgs($request));
+ } else {
+ $message->updateArgs($this->ns_uri,
+ $this->getExtensionArgs());
+ }
return $message;
}
}
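Review bot: The two branches added here differ only in whether `$request` is forwarded, and the new `$request = null` parameter on `toMessage()` in the hunk above is not described in its docblock. Since a PHP userland method ignores surplus arguments, a single `$message->updateArgs($this->ns_uri, $this->getExtensionArgs($request));` should behave the same for extensions whose `getExtensionArgs()` takes no parameter; confirm against the subclasses before collapsing it. I would also add `@param mixed $request Optional request passed through to getExtensionArgs()` to the docblock so implementers know when it is non-null.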
diff --git a/plugins/openid/lib/Auth/OpenID/FileStore.php b/plugins/openid/lib/Auth/OpenID/FileStore.php
index 074421a0..d74f83dc 100644
--- a/plugins/openid/lib/Auth/OpenID/FileStore.php
+++ b/plugins/openid/lib/Auth/OpenID/FileStore.php
@@ -300,13 +300,22 @@ class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore {
return null;
}
+ if (file_exists($filename) !== true) {
+ return null;
+ }
+
$assoc_file = @fopen($filename, 'rb');
if ($assoc_file === false) {
return null;
}
- $assoc_s = fread($assoc_file, filesize($filename));
+ $filesize = filesize($filename);
+ if ($filesize === false || $filesize <= 0) {
+ return null;
+ }
+
+ $assoc_s = fread($assoc_file, $filesize);
fclose($assoc_file);
if (!$assoc_s) {
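Review bot: The new early return on `$filesize === false || $filesize <= 0` leaves `$assoc_file` open, because the handle from `fopen()` a few lines earlier is only closed on the path that reaches `fread()`. A long-running worker that repeatedly hits empty or truncated association files would leak one descriptor per call. Add `fclose($assoc_file);` before that `return null;`, or compute `filesize()` before opening the file. The enclosing method starts and ends outside this hunk.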
@@ -473,7 +482,7 @@ class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore {
}
if ($handle = opendir($dir)) {
- while ($item = readdir($handle)) {
+ while (false !== ($item = readdir($handle))) {
if (!in_array($item, array('.', '..'))) {
if (is_dir($dir . $item)) {
diff --git a/plugins/openid/lib/Auth/OpenID/MDB2Store.php b/plugins/openid/lib/Auth/OpenID/MDB2Store.php
index 80024bad..fb27d5c4 100644
--- a/plugins/openid/lib/Auth/OpenID/MDB2Store.php
+++ b/plugins/openid/lib/Auth/OpenID/MDB2Store.php
@@ -85,7 +85,7 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
// column name instead of column index.
$this->connection->setFetchMode(MDB2_FETCHMODE_ASSOC);
- if (PEAR::isError($this->connection->loadModule('Extended'))) {
+ if (@PEAR::isError($this->connection->loadModule('Extended'))) {
trigger_error("Unable to load MDB2_Extended module", E_USER_ERROR);
return;
}
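Review bot: Putting `@` in front of `PEAR::isError(...)` suppresses every diagnostic raised while the whole expression is evaluated, including anything emitted by the nested `loadModule('Extended')` call, not only the static-call notice it is presumably meant to hide. The same holds in the later hunks of this file wherever the argument is itself a call (`query(...)` in `tableExists()`, `loadModule('Manager')`, `replace(...)`), so a failing storage backend becomes harder to notice in logs. Evaluate the call first and test the result without suppression, e.g. `$r = $this->connection->loadModule('Extended');` followed by `if (is_a($r, 'PEAR_Error')) {`. The enclosing method begins outside this hunk.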
@@ -103,7 +103,7 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
function tableExists($table_name)
{
- return !PEAR::isError($this->connection->query(
+ return !@PEAR::isError($this->connection->query(
sprintf("SELECT * FROM %s LIMIT 0",
$table_name)));
}
@@ -135,12 +135,12 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
" UNIQUE (server_url(255), timestamp, salt)\n".
") TYPE=InnoDB",
$this->nonces_table_name));
- if (PEAR::isError($r)) {
+ if (@PEAR::isError($r)) {
return false;
}
break;
default:
- if (PEAR::isError(
+ if (@PEAR::isError(
$this->connection->loadModule('Manager'))) {
return false;
}
@@ -172,7 +172,7 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
$r = $this->connection->createTable($this->nonces_table_name,
$fields);
- if (PEAR::isError($r)) {
+ if (@PEAR::isError($r)) {
return false;
}
@@ -180,7 +180,7 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
$this->nonces_table_name,
$this->nonces_table_name . "_constraint",
$constraint);
- if (PEAR::isError($r)) {
+ if (@PEAR::isError($r)) {
return false;
}
break;
@@ -208,12 +208,12 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
" PRIMARY KEY (server_url(255), handle)\n".
") TYPE=InnoDB",
$this->associations_table_name));
- if (PEAR::isError($r)) {
+ if (@PEAR::isError($r)) {
return false;
}
break;
default:
- if (PEAR::isError(
+ if (@PEAR::isError(
$this->connection->loadModule('Manager'))) {
return false;
}
@@ -258,7 +258,7 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
$this->associations_table_name,
$fields,
$options);
- if (PEAR::isError($r)) {
+ if (@PEAR::isError($r)) {
return false;
}
break;
@@ -293,7 +293,7 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
)
);
- return !PEAR::isError($this->connection->replace(
+ return !@PEAR::isError($this->connection->replace(
$this->associations_table_name,
$fields));
}
@@ -340,7 +340,7 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
$assoc = $this->connection->getRow($sql, $types, $params);
- if (!$assoc || PEAR::isError($assoc)) {
+ if (!$assoc || @PEAR::isError($assoc)) {
return null;
} else {
$association = new Auth_OpenID_Association($assoc['handle'],
@@ -361,7 +361,7 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
$this->associations_table_name),
array($server_url, $handle));
- if (PEAR::isError($r) || $r == 0) {
+ if (@PEAR::isError($r) || $r == 0) {
return false;
}
return true;
@@ -389,7 +389,7 @@ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
$fields,
MDB2_AUTOQUERY_INSERT);
- if (PEAR::isError($r)) {
+ if (@PEAR::isError($r)) {
return false;
}
return true;
diff --git a/plugins/openid/lib/Auth/OpenID/Message.php b/plugins/openid/lib/Auth/OpenID/Message.php
index 9a5b20d0..16ec1c1d 100644
--- a/plugins/openid/lib/Auth/OpenID/Message.php
+++ b/plugins/openid/lib/Auth/OpenID/Message.php
@@ -675,7 +675,7 @@ class Auth_OpenID_Message {
if ($form_tag_attrs) {
foreach ($form_tag_attrs as $name => $attr) {
- $form .= sprintf(" %s=\"%s\"", $name, $attr);
+ $form .= sprintf(" %s=\"%s\"", $name, htmlspecialchars($attr));
}
}
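Review bot: The attribute name is still emitted raw in `sprintf(" %s=\"%s\"", $name, htmlspecialchars($attr))`, so only half of each `$form_tag_attrs` pair is escaped, whereas the hidden-input loop in the next hunk escapes both name and value. If any caller builds that array from request data (not visible here), the name is an injection point; escape it as well or restrict it to a pattern such as `/^[A-Za-z][A-Za-z0-9_:-]*$/`. All the new `htmlspecialchars()` calls in this file also rely on the default flags and charset, which differ between PHP versions; passing them explicitly, `htmlspecialchars($attr, ENT_QUOTES, 'UTF-8')`, makes the output independent of the runtime. The enclosing method starts and ends outside the hunk.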
@@ -684,11 +684,11 @@ class Auth_OpenID_Message {
foreach ($this->toPostArgs() as $name => $value) {
$form .= sprintf(
"<input type=\"hidden\" name=\"%s\" value=\"%s\" />\n",
- $name, urldecode($value));
+ htmlspecialchars($name), htmlspecialchars($value));
}
$form .= sprintf("<input type=\"submit\" value=\"%s\" />\n",
- $submit_text);
+ htmlspecialchars($submit_text));
$form .= "</form>\n";
diff --git a/plugins/openid/lib/Auth/OpenID/PredisStore.php b/plugins/openid/lib/Auth/OpenID/PredisStore.php
new file mode 100644
index 00000000..14ecbbd6
--- /dev/null
+++ b/plugins/openid/lib/Auth/OpenID/PredisStore.php
@@ -0,0 +1,211 @@
+<?php
+
+/**
+ * Supplies Redis server store backend for OpenID servers and consumers.
+ * Uses Predis library {@see https://github.com/nrk/predis}.
+ * Requires PHP >= 5.3.
+ *
+ * LICENSE: See the COPYING file included in this distribution.
+ *
+ * @package OpenID
+ * @author Ville Mattila <ville@eventio.fi>
+ * @copyright 2008 JanRain Inc., 2013 Eventio Oy / Ville Mattila
+ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
+ * Contributed by Eventio Oy <http://www.eventio.fi/>
+ */
+
+/**
+ * Import the interface for creating a new store class.
+ */
+require_once 'Auth/OpenID/Interface.php';
+
+/**
+ * Supplies Redis server store backend for OpenID servers and consumers.
+ * Uses Predis library {@see https://github.com/nrk/predis}.
+ * Requires PHP >= 5.3.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_PredisStore extends Auth_OpenID_OpenIDStore {
+
+ /**
+ * @var \Predis\Client
+ */
+ protected $redis;
+
+ /**
+ * Prefix for Redis keys
+ * @var string
+ */
+ protected $prefix;
+
+ /**
+ * Initializes a new {@link Auth_OpenID_PredisStore} instance.
+ *
+ * @param \Predis\Client $redis Predis client object
+ * @param string $prefix Prefix for all keys stored to the Redis
+ */
+ function Auth_OpenID_PredisStore(\Predis\Client $redis, $prefix = '')
+ {
+ $this->prefix = $prefix;
+ $this->redis = $redis;
+ }
+
+ /**
+ * Store association until its expiration time in Redis server.
+ * Overwrites any existing association with same server_url and
+ * handle. Handles list of associations for every server.
+ */
+ function storeAssociation($server_url, $association)
+ {
+ // create Redis keys for association itself
+ // and list of associations for this server
+ $associationKey = $this->associationKey($server_url,
+ $association->handle);
+ $serverKey = $this->associationServerKey($server_url);
+
+ // save association to server's associations' keys list
+ $this->redis->lpush(
+ $serverKey,
+ $associationKey
+ );
+
+ // Will touch the association list expiration, to avoid filling up
+ $newExpiration = ($association->issued + $association->lifetime);
+
+ $expirationKey = $serverKey.'_expires_at';
+ $expiration = $this->redis->get($expirationKey);
+ if (!$expiration || $newExpiration > $expiration) {
+ $this->redis->set($expirationKey, $newExpiration);
+ $this->redis->expireat($serverKey, $newExpiration);
+ $this->redis->expireat($expirationKey, $newExpiration);
+ }
+
+ // save association itself, will automatically expire
+ $this->redis->setex(
+ $associationKey,
+ $newExpiration - time(),
+ serialize($association)
+ );
+ }
+
+ /**
+ * Read association from Redis. If no handle given
+ * and multiple associations found, returns latest issued
+ */
+ function getAssociation($server_url, $handle = null)
+ {
+ // simple case: handle given
+ if ($handle !== null) {
+ return $this->getAssociationFromServer(
+ $this->associationKey($server_url, $handle)
+ );
+ }
+
+ // no handle given, receiving the latest issued
+ $serverKey = $this->associationServerKey($server_url);
+ $lastKey = $this->redis->lindex($serverKey, -1);
+ if (!$lastKey) {
+ // no previous association with this server
+ return null;
+ }
+
+ // get association, return null if failed
+ return $this->getAssociationFromServer($lastKey);
+ }
+
+ /**
+ * Function to actually receive and unserialize the association
+ * from the server.
+ */
+ private function getAssociationFromServer($associationKey)
+ {
+ $association = $this->redis->get($associationKey);
+ return $association ? unserialize($association) : null;
+ }
+
+ /**
+ * Immediately delete association from Redis.
+ */
+ function removeAssociation($server_url, $handle)
+ {
+ // create Redis keys
+ $serverKey = $this->associationServerKey($server_url);
+ $associationKey = $this->associationKey($server_url,
+ $handle);
+
+ // Removing the association from the server's association list
+ $removed = $this->redis->lrem($serverKey, 0, $associationKey);
+ if ($removed < 1) {
+ return false;
+ }
+
+ // Delete the association itself
+ return $this->redis->del($associationKey);
+ }
+
+ /**
+ * Create nonce for server and salt, expiring after
+ * $Auth_OpenID_SKEW seconds.
+ */
+ function useNonce($server_url, $timestamp, $salt)
+ {
+ global $Auth_OpenID_SKEW;
+
+ // save one request to memcache when nonce obviously expired
+ if (abs($timestamp - time()) > $Auth_OpenID_SKEW) {
+ return false;
+ }
+
+ // SETNX will set the value only of the key doesn't exist yet.
+ $nonceKey = $this->nonceKey($server_url, $salt);
+ $added = $this->redis->setnx($nonceKey, "1");
+ if ($added) {
+ // Will set expiration
+ $this->redis->expire($nonceKey, $Auth_OpenID_SKEW);
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+ /**
+ * Build up nonce key
+ */
+ private function nonceKey($server_url, $salt)
+ {
+ return $this->prefix .
+ 'openid_nonce_' .
+ sha1($server_url) . '_' . sha1($salt);
+ }
+
+ /**
+ * Key is prefixed with $prefix and 'openid_association_' string
+ */
+ function associationKey($server_url, $handle = null)
+ {
+ return $this->prefix .
+ 'openid_association_' .
+ sha1($server_url) . '_' . sha1($handle);
+ }
+
+ /**
+ * Key is prefixed with $prefix and 'openid_association_server_' string
+ */
+ function associationServerKey($server_url)
+ {
+ return $this->prefix .
+ 'openid_association_server_' .
+ sha1($server_url);
+ }
+
+ /**
+ * Report that this storage doesn't support cleanup
+ */
+ function supportsCleanup()
+ {
+ return false;
+ }
+
+}
+
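Review bot: `getAssociationFromServer()` hands whatever Redis returns straight to `unserialize()`, so the integrity of the consumer process depends on nobody else being able to write to that Redis instance; a shared or unauthenticated cache turns this into PHP object instantiation from untrusted data. The association class has its own text serialization in this library, so storing `$association->serialize()` and reading it back with `Auth_OpenID_Association::deserialize('Auth_OpenID_Association', $data)` would keep generic object deserialization off the read path (worth confirming against how the file store does it). Separately, `storeAssociation()` adds keys with `lpush` (head of the list) while the handle-less branch of `getAssociation()` reads `lindex($serverKey, -1)` (tail), which returns the oldest entry rather than the "latest issued" the docblock promises; `lindex($serverKey, 0)` would match the comment. `setex` is also given `$newExpiration - time()`, which is zero or negative for an association that has already expired and which I would expect Redis to reject, so guard that case before writing. Finally, `nonceKey()` omits `$timestamp`, unlike the `(server_url, timestamp, salt)` uniqueness the SQL-backed store uses; that fails closed but is worth aligning.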
diff --git a/plugins/openid/lib/Auth/OpenID/SQLStore.php b/plugins/openid/lib/Auth/OpenID/SQLStore.php
index c0405973..2dc731a7 100644
--- a/plugins/openid/lib/Auth/OpenID/SQLStore.php
+++ b/plugins/openid/lib/Auth/OpenID/SQLStore.php
@@ -166,7 +166,7 @@ class Auth_OpenID_SQLStore extends Auth_OpenID_OpenIDStore {
*/
function isError($value)
{
- return PEAR::isError($value);
+ return @PEAR::isError($value);
}
/**
diff --git a/plugins/openid/lib/Auth/OpenID/TrustRoot.php b/plugins/openid/lib/Auth/OpenID/TrustRoot.php
index 000440b5..5e694907 100644
--- a/plugins/openid/lib/Auth/OpenID/TrustRoot.php
+++ b/plugins/openid/lib/Auth/OpenID/TrustRoot.php
@@ -210,7 +210,7 @@ class Auth_OpenID_TrustRoot {
if ($parts['host'] == 'localhost') {
return true;
}
-
+
$host_parts = explode('.', $parts['host']);
if ($parts['wildcard']) {
// Remove the empty string from the beginning of the array
@@ -413,7 +413,7 @@ function Auth_OpenID_getAllowedReturnURLs($relying_party_url, $fetcher,
}
call_user_func_array($discover_function,
- array($relying_party_url, &$fetcher));
+ array($relying_party_url, $fetcher));
$return_to_urls = array();
$matching_endpoints = Auth_OpenID_extractReturnURL($endpoints);
diff --git a/plugins/openid/lib/Auth/OpenID/URINorm.php b/plugins/openid/lib/Auth/OpenID/URINorm.php
index c051b550..32e84588 100644
--- a/plugins/openid/lib/Auth/OpenID/URINorm.php
+++ b/plugins/openid/lib/Auth/OpenID/URINorm.php
@@ -93,7 +93,17 @@ function Auth_OpenID_pct_encoded_replace_unreserved($mo)
function Auth_OpenID_pct_encoded_replace($mo)
{
- return chr(intval($mo[1], 16));
+ $code = intval($mo[1], 16);
+
+ // Prevent request splitting by ignoring newline and space characters
+ if($code === 0xA || $code === 0xD || $code === ord(' '))
+ {
+ return $mo[0];
+ }
+ else
+ {
+ return chr($code);
+ }
}
function Auth_OpenID_remove_dot_segments($path)
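Review bot: The guard in `Auth_OpenID_pct_encoded_replace()` keeps only `%0A`, `%0D` and `%20` encoded, so every other control byte (NUL, tab, the rest of 0x00-0x1F, and 0x7F) is still decoded into the normalised URI. Whether those can reach an HTTP request line or header depends on callers outside this hunk, but a range check is no more code and covers the whole class: `if ($code <= 0x20 || $code === 0x7F) {`. The comment could then read `// Leave control characters and space percent-encoded so a decoded URI cannot inject line breaks or delimiters`.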
diff --git a/plugins/openid/lib/Auth/Yadis/Manager.php b/plugins/openid/lib/Auth/Yadis/Manager.php
index 3f54fd0b..664521c9 100644
--- a/plugins/openid/lib/Auth/Yadis/Manager.php
+++ b/plugins/openid/lib/Auth/Yadis/Manager.php
@@ -37,7 +37,7 @@ class Auth_Yadis_PHPSession {
*/
function get($name, $default=null)
{
- if (array_key_exists($name, $_SESSION)) {
+ if (isset($_SESSION) && array_key_exists($name, $_SESSION)) {
return $_SESSION[$name];
} else {
return $default;
@@ -414,7 +414,7 @@ class Auth_Yadis_Discovery {
list($yadis_url, $services) = call_user_func_array($discover_cb,
array(
$this->url,
- &$fetcher,
+ $fetcher,
));
$manager = $this->createManager($services, $yadis_url);
diff --git a/plugins/openid/lib/Auth/Yadis/ParanoidHTTPFetcher.php b/plugins/openid/lib/Auth/Yadis/ParanoidHTTPFetcher.php
index 4848a2bd..627ea9a8 100644
--- a/plugins/openid/lib/Auth/Yadis/ParanoidHTTPFetcher.php
+++ b/plugins/openid/lib/Auth/Yadis/ParanoidHTTPFetcher.php
@@ -90,6 +90,15 @@ class Auth_Yadis_ParanoidHTTPFetcher extends Auth_Yadis_HTTPFetcher {
$this->reset();
$c = curl_init();
+ if (defined('Auth_OpenID_DISABLE_SSL_VERIFYPEER')
+ && Auth_OpenID_DISABLE_SSL_VERIFYPEER === true) {
+ trigger_error(
+ 'You have disabled SSL verifcation, this is a TERRIBLE ' .
+ 'idea in almost all cases. Set Auth_OpenID_DISABLE_SSL_' .
+ 'VERIFYPEER to false if you want to be safe again',
+ E_USER_WARNING);
+ curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);
+ }
if ($c === false) {
Auth_OpenID::log(
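Review bot: The new block calls `curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false)` before the existing `if ($c === false)` check that follows it, so when `curl_init()` fails and the constant is set, the option is applied to a non-handle; move the block below that check. The hunk appears to sit in a single fetch method, so confirm that the other request path in this class is meant to ignore the constant; as written the two may verify certificates differently. Because this switch removes the only protection against an on-path attacker substituting discovery documents, I would also log it once at configuration time rather than per request, and fix the typo in the message ("verifcation"). The method body continues outside the hunk.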
@@ -179,10 +188,6 @@ class Auth_Yadis_ParanoidHTTPFetcher extends Auth_Yadis_HTTPFetcher {
}
}
- Auth_OpenID::log(
- "Successfully fetched '%s': GET response code %s",
- $url, $code);
-
return new Auth_Yadis_HTTPResponse($url, $code,
$new_headers, $body);
}
@@ -263,9 +268,6 @@ class Auth_Yadis_ParanoidHTTPFetcher extends Auth_Yadis_HTTPFetcher {
}
- Auth_OpenID::log("Successfully fetched '%s': POST response code %s",
- $url, $code);
-
return new Auth_Yadis_HTTPResponse($url, $code,
$new_headers, $body);
}
diff --git a/plugins/openid/lib/Auth/Yadis/ParseHTML.php b/plugins/openid/lib/Auth/Yadis/ParseHTML.php
index 6f0f8b7e..255d7cd2 100644
--- a/plugins/openid/lib/Auth/Yadis/ParseHTML.php
+++ b/plugins/openid/lib/Auth/Yadis/ParseHTML.php
@@ -66,29 +66,6 @@ class Auth_Yadis_ParseHTML {
}
/**
- * Replace HTML entities (amp, lt, gt, and quot) as well as
- * numeric entities (e.g. #x9f;) with their actual values and
- * return the new string.
- *
- * @access private
- * @param string $str The string in which to look for entities
- * @return string $new_str The new string entities decoded
- */
- function replaceEntities($str)
- {
- foreach ($this->_entity_replacements as $old => $new) {
- $str = preg_replace(sprintf("/&%s;/", $old), $new, $str);
- }
-
- // Replace numeric entities because html_entity_decode doesn't
- // do it for us.
- $str = preg_replace('~&#x([0-9a-f]+);~ei', 'chr(hexdec("\\1"))', $str);
- $str = preg_replace('~&#([0-9]+);~e', 'chr(\\1)', $str);
-
- return $str;
- }
-
- /**
* Strip single and double quotes off of a string, if they are
* present.
*
@@ -216,7 +193,7 @@ class Auth_Yadis_ParseHTML {
$link_attrs = array();
foreach ($attr_matches[0] as $index => $full_match) {
$name = $attr_matches[1][$index];
- $value = $this->replaceEntities(
+ $value = html_entity_decode(
$this->removeQuotes($attr_matches[2][$index]));
$link_attrs[strtolower($name)] = $value;
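Review bot: `html_entity_decode()` is called here with default flags and charset, both of which vary by PHP version: older defaults leave `&#039;` undecoded and assume ISO-8859-1, so the same discovered `<link>` attribute can decode differently across hosts. The removed `replaceEntities()` decoded numeric entities byte-wise with `chr()`, so this is also a behaviour change for values above 0x7F. Pin the behaviour with `html_entity_decode($this->removeQuotes($attr_matches[2][$index]), ENT_QUOTES, 'UTF-8')`. The enclosing method starts and ends outside the hunk.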
diff --git a/plugins/openid/lib/Auth/Yadis/XML.php b/plugins/openid/lib/Auth/Yadis/XML.php
index cf1f5c41..2b8a20eb 100644
--- a/plugins/openid/lib/Auth/Yadis/XML.php
+++ b/plugins/openid/lib/Auth/Yadis/XML.php
@@ -234,7 +234,23 @@ class Auth_Yadis_dom extends Auth_Yadis_XMLParser {
return false;
}
- if (!@$this->doc->loadXML($xml_string)) {
+ // libxml_disable_entity_loader (PHP 5 >= 5.2.11)
+ if (function_exists('libxml_disable_entity_loader') && function_exists('libxml_use_internal_errors')) {
+ // disable external entities and libxml errors
+ $loader = libxml_disable_entity_loader(true);
+ $errors = libxml_use_internal_errors(true);
+ $parse_result = @$this->doc->loadXML($xml_string);
+ libxml_disable_entity_loader($loader);
+ libxml_use_internal_errors($errors);
+ } else {
+ $parse_result = @$this->doc->loadXML($xml_string);
+ }
+
+ if (!$parse_result) {
+ return false;
+ }
+
+ if (isset($this->doc->doctype)) {
return false;
}
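Review bot: The DOCTYPE rejection via `isset($this->doc->doctype)` only runs after `loadXML()` has already processed the document, and in the `else` branch (taken when either libxml function is missing) that parse happens with no entity-loader protection at all. Passing `LIBXML_NONET` in both branches, `$this->doc->loadXML($xml_string, LIBXML_NONET)`, keeps the parser off the network regardless of which branch is taken. `libxml_use_internal_errors(true)` also buffers every parse error for the life of the process; call `libxml_clear_errors();` before restoring the previous setting so repeated parsing of malformed XRDS does not accumulate memory. The enclosing method starts and ends outside this hunk.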
@@ -331,11 +347,11 @@ function Auth_Yadis_getSupportedExtensions()
function Auth_Yadis_getXMLParser()
{
global $__Auth_Yadis_defaultParser;
-
+
if (isset($__Auth_Yadis_defaultParser)) {
return $__Auth_Yadis_defaultParser;
}
-
+
foreach(Auth_Yadis_getSupportedExtensions() as $extension => $classname)
{
if (extension_loaded($extension))
@@ -345,7 +361,7 @@ function Auth_Yadis_getXMLParser()
return $p;
}
}
-
+
return false;
}
diff --git a/plugins/openid/lib/Auth/Yadis/XRDS.php b/plugins/openid/lib/Auth/Yadis/XRDS.php
index 1f5af96f..044d1e76 100644
--- a/plugins/openid/lib/Auth/Yadis/XRDS.php
+++ b/plugins/openid/lib/Auth/Yadis/XRDS.php
@@ -429,7 +429,7 @@ class Auth_Yadis_XRDS {
foreach ($filters as $filter) {
- if (call_user_func_array($filter, array(&$service))) {
+ if (call_user_func_array($filter, array($service))) {
$matches++;
if ($filter_mode == SERVICES_YADIS_MATCH_ANY) {
diff --git a/plugins/openid/lib/Auth/Yadis/Yadis.php b/plugins/openid/lib/Auth/Yadis/Yadis.php
index 9ea2db7f..f8853671 100644
--- a/plugins/openid/lib/Auth/Yadis/Yadis.php
+++ b/plugins/openid/lib/Auth/Yadis/Yadis.php
@@ -141,7 +141,7 @@ function Auth_Yadis_getServiceEndpoints($input_url, $xrds_parse_func,
}
$yadis_result = call_user_func_array($discover_func,
- array($input_url, &$fetcher));
+ array($input_url, $fetcher));
if ($yadis_result === null) {
return array($input_url, array());